Circular Letters

Circular Letter 5597

To: All Member Banks and Others Concerned in the Third Federal Reserve District

Attention: Chief Executive Officer and Chief Financial Officer

Subject: Request for Comment on Interagency Guidance on Programs to Protect Against Identity Theft

Summary:

The federal
bank and thrift regulatory agencies request public
comment on proposed guidance that would require financial
institutions to develop programs to respond to incidents
of unauthorized access to customer information, including
procedures for notifying customers under certain circumstances.

The proposed guidance interprets the interagency
customer information security guidelines, issued in
February 2001, that require financial institutions
to implement information security programs designed
to protect their customers’ information. The
proposed interpretation describes the components of
a response program and sets a standard for providing
notice to customers affected by unauthorized access
to or use of customer information that could result
in substantial harm or inconvenience to those customers,
thereby reducing the risk of losses due to fraud or
identity theft.

The proposed guidance states that “an institution
should notify affected customers when it becomes aware
of unauthorized access to sensitive customer information
unless the institution, after an appropriate investigation,
reasonably concludes that misuse is unlikely to occur
and takes appropriate steps to safeguard the interests
of affected customers, including monitoring affected
customers’ accounts for unusual or suspicious
activity.”

The Board of Governors of the Federal Reserve System,
the Federal Deposit Insurance Corporation, the Office
of the Comptroller of the Currency, and the Office
of Thrift Supervision are requesting public comment
on all aspects of this proposal, including whether
the agencies have identified the appropriate standard
for financial institutions to provide notice to their
customers.

Comment on the proposed guidance is requested by
October 14, 2003. Specific information on how to file
a comment is contained in the Federal Register notice
published August 12, 2003, a copy of which is attached(54 KB, 2 pages).